Re: Postfix behind NAT -> failover IP -> wrong HELO
On 6/30/20 6:40 PM, Wietse Venema wrote:
> Istvan Prosinger:
>> On 6/30/20 10:34 PM, Wietse Venema wrote:
>>> Istvan Prosinger:
>>>> On 6/30/20 9:49 PM, Wietse Venema wrote:
>>>>> Istvan Prosinger:
>>>>>> Hi, I hope this letter finds you well,
>>>>>>
>>>>>> I have Postfix behind NAT, and added one failover IP to the main router.
>>>>>>
>>>>>> I wanted to "get by cheaply" by just doing something like
>>>>>>
>>>>>> iptables -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to
>>>>>>
>>>>>> on the firewall machine.
>>>>>>
>>>>>> So, all well, the only problem is that Postfix in this case has a wrong
>>>>>> HELO compared to the rDNS that I have defined for the
>>>>>> It does throw a warning that the doesn't resolve to its hostname,
>>>>>> but I'm not sure if I can define some kind of helo_host_maps ;) to
>>>>>> resolve this.
>>>>>> At this point, I wouldn't mind if someone pinpoints me to the right
>>>>>> direction.
>>>>>
>>>>> Postfix does not compare the HELO command argument with forward or
>>>>> reverse DNS information.
>>>>
>>>> Antispam engines on the recipient side do
>>>
>>> Thanks for clearing up that 'It does throw a warning' is not
>>> talking about Postfix.
>>>
>>> Every MTA behind a NAT should send HELO to external hosts using
>>> the name of the outside NAT IP address. Use smtp_helo_name.
>>
>> This is clear. But my problem is that I do the (pre)nating on the
>> firewall, I don't change any config for Postfix. To simplify the
>> question, it's - is it possible to have it use the correct HELO
>> depending on the outbound IP set on the firewall? I do not change
>> any relay maps, I just default it to another outbound IP on the
>> firewall.
>
> Firewalls on a moving IP address? What has the world come to.
>
> Assuming that Postfix runs on the firewall, otherwise you will need
> to add telepathic vision to Postfix and also set smtp_proxy_address
> to avoid "mail loops back to myself" errors.
>
>     host1_mynetworks = output from "postconf mynetworks" with external address 1
>     bind1_address = 1.2.3.4
>     bind2_address = 1.2.3.5
>     smtp_helo_name = ${ {$mynetworks} == {$host1_mynetworks} ?
>         {$bind1_address} : {$bind2_address} }
>
> It's really better to execute a command that sets both the external
> address AND Postfix settings.
>
> Wietse

Wietse's solution is better. what he said.

--Curtis
Re: Postfix behind NAT -> failover IP -> wrong HELO
It's part of the config in main.cf

You can specify "myhostname"

    myhostname = host.domain.tld

Cheers,
Curtis

On 6/30/20 4:55 PM, Istvan Prosinger wrote:
> On 6/30/20 10:34 PM, Wietse Venema wrote:
>> Istvan Prosinger:
>>> On 6/30/20 9:49 PM, Wietse Venema wrote:
>>>> Istvan Prosinger:
>>>>> Hi, I hope this letter finds you well,
>>>>>
>>>>> I have Postfix behind NAT, and added one failover IP to the main router.
>>>>>
>>>>> I wanted to "get by cheaply" by just doing something like
>>>>>
>>>>> iptables -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to
>>>>>
>>>>> on the firewall machine.
>>>>>
>>>>> So, all well, the only problem is that Postfix in this case has a wrong
>>>>> HELO compared to the rDNS that I have defined for the
>>>>> It does throw a warning that the doesn't resolve to its hostname,
>>>>> but I'm not sure if I can define some kind of helo_host_maps ;) to
>>>>> resolve this.
>>>>> At this point, I wouldn't mind if someone pinpoints me to the right
>>>>> direction.
>>>>
>>>> Postfix does not compare the HELO command argument with forward or
>>>> reverse DNS information.
>>>
>>> Antispam engines on the recipient side do
>>
>> Thanks for clearing up that 'It does throw a warning' is not
>> talking about Postfix.
>>
>> Every MTA behind a NAT should send HELO to external hosts using
>> the name of the outside NAT IP address. Use smtp_helo_name.
>
> This is clear. But my problem is that I do the (pre)nating on the
> firewall, I don't change any config for Postfix. To simplify the
> question, it's - is it possible to have it use the correct HELO
> depending on the outbound IP set on the firewall? I do not change
> any relay maps, I just default it to another outbound IP on the
> firewall.
>
> best,
> Istvan
Re: Postfix behind NAT -> failover IP -> wrong HELO
On 30 Jun 2020, at 15:40, Istvan Prosinger wrote:

> Hi, I hope this letter finds you well,
>
> I have Postfix behind NAT, and added one failover IP to the main router.
>
> I wanted to "get by cheaply" by just doing something like
>
> iptables -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to ip>
>
> on the firewall machine.
>
> So, all well, the only problem is that Postfix in this case has a wrong
> HELO compared to the rDNS that I have defined for the IP>
> It does throw a warning that the doesn't resolve to its hostname,
> but I'm not sure if I can define some kind of helo_host_maps ;) to
> resolve this.
> At this point, I wouldn't mind if someone pinpoints me to the right
> direction.

Can't you just fix the DNS? Use a HELO name that resolves to both IPs and give both IPs PTR records that point back to the name you use.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
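The DNS arrangement suggested in the message above (one HELO name with address records for both outbound IPs, and a PTR record on each IP pointing back to that name) can be verified mechanically. The following is an added example, not part of any message in the thread; the host names, the 192.0.2.10 and 198.51.100.20 addresses and all function names are constructed for illustration.

```python
"""HELO name vs. forward and reverse DNS for each outbound NAT address.

Added example. All names and addresses are constructed placeholders.
"""
import socket
from collections import namedtuple

HeloCheck = namedtuple("HeloCheck", "ip forward_ok reverse_ok ptr_names")


def _norm(name):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return name.rstrip(".").lower()


def check_helo(helo_name, outbound_ips, a_records, ptr_records):
    """Return one HeloCheck per outbound IP.

    a_records:   {hostname: [ip, ...]}  forward data
    ptr_records: {ip: [hostname, ...]}  reverse data
    """
    helo = _norm(helo_name)
    forward = set()
    for name, ips in a_records.items():
        if _norm(name) == helo:
            forward.update(ips)
    checks = []
    for ip in outbound_ips:
        ptrs = tuple(_norm(p) for p in ptr_records.get(ip, ()))
        checks.append(HeloCheck(ip, ip in forward, helo in ptrs, ptrs))
    return checks


def mismatches(checks):
    """Outbound IPs where the HELO name and DNS disagree."""
    return [c.ip for c in checks if not (c.forward_ok and c.reverse_ok)]


def live_records(helo_name, outbound_ips):
    """Build the same two tables from the system resolver (needs network)."""
    a, ptr = {}, {}
    try:
        a[helo_name] = socket.gethostbyname_ex(helo_name)[2]
    except OSError:
        a[helo_name] = []
    for ip in outbound_ips:
        try:
            host, aliases, _ = socket.gethostbyaddr(ip)
            ptr[ip] = [host] + aliases
        except OSError:
            ptr[ip] = []
    return a, ptr


# Constructed data: the failover address before and after the DNS fix.
OUTBOUND = ["192.0.2.10", "198.51.100.20"]
BEFORE = ({"mail.example.com": ["192.0.2.10"]},
          {"192.0.2.10": ["mail.example.com."],
           "198.51.100.20": ["failover.example.net."]})
AFTER = ({"mail.example.com": OUTBOUND},
         {ip: ["Mail.Example.COM."] for ip in OUTBOUND})

if __name__ == "__main__":
    for label, (a, ptr) in (("before", BEFORE), ("after", AFTER)):
        print(label, mismatches(check_helo("mail.example.com", OUTBOUND, a, ptr)))
```

To run the same check against real DNS, pass the two tables returned by `live_records()` to `check_helo()`.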
Re: Log entry timestamp
Antonio Leding:
> Hello Postfix community,
>
> Does anyone know if it is possible to configure, within Postfix,
> the timestamp used for log messages?
>
> I know I can set up a template in rsyslog but would rather do this
> in Postfix if possible.

Postfix uses the syslog(3) API which has no date formatting.

Postfix built-in maillog_file logging behaves like syslog(3).

Wietse
Re: Postfix behind NAT -> failover IP -> wrong HELO
Istvan Prosinger:
>
> On 6/30/20 10:34 PM, Wietse Venema wrote:
> > Istvan Prosinger:
> >>
> >> On 6/30/20 9:49 PM, Wietse Venema wrote:
> >>> Istvan Prosinger:
> >>>> Hi, I hope this letter finds you well,
> >>>>
> >>>> I have Postfix behind NAT, and added one failover IP to the main router.
> >>>>
> >>>> I wanted to "get by cheaply" by just doing something like
> >>>>
> >>>> iptables -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to
> >>>>
> >>>> on the firewall machine.
> >>>>
> >>>> So, all well, the only problem is that Postfix in this case has a wrong
> >>>> HELO compared to the rDNS that I have defined
> >>>> for the
> >>>> It does throw a warning that the doesn't resolve to its
> >>>> hostname, but I'm not sure if I can define some
> >>>> kind of helo_host_maps ;) to resolve this.
> >>>> At this point, I wouldn't mind if someone pinpoints me to the right
> >>>> direction.
> >>>
> >>> Postfix does not compare the HELO command argument with forward or
> >>> reverse DNS information.
> >>
> >> Antispam engines on the recipient side do
> >
> > Thanks for clearing up that 'It does throw a warning' is not
> > talking about Postfix.
> >
> > Every MTA behind a NAT should send HELO to external hosts using
> > the name of the outside NAT IP address. Use smtp_helo_name.
>
> This is clear. But my problem is that I do the (pre)nating on the
> firewall, I don't change any config for Postfix. To simplify the
> question, it's - is it possible to have it use the correct HELO
> depending on the outbound IP set on the firewall? I do not change
> any relay maps, I just default it to another outbound IP on the
> firewall.

Firewalls on a moving IP address? What has the world come to.

Assuming that Postfix runs on the firewall, otherwise you will need
to add telepathic vision to Postfix and also set smtp_proxy_address
to avoid "mail loops back to myself" errors.

    host1_mynetworks = output from "postconf mynetworks" with external address 1
    bind1_address = 1.2.3.4
    bind2_address = 1.2.3.5
    smtp_helo_name = ${ {$mynetworks} == {$host1_mynetworks} ?
        {$bind1_address} : {$bind2_address} }

It's really better to execute a command that sets both the external
address AND Postfix settings.

Wietse
Log entry timestamp
Hello Postfix community,

Does anyone know if it is possible to configure, within Postfix, the timestamp used for log messages?

I know I can set up a template in rsyslog but would rather do this in Postfix if possible.

Thanks in advance...

— Tony —
Re: Postfix behind NAT -> failover IP -> wrong HELO
On 6/30/20 10:34 PM, Wietse Venema wrote:
> Istvan Prosinger:
>>
>> On 6/30/20 9:49 PM, Wietse Venema wrote:
>>> Istvan Prosinger:
>>>> Hi, I hope this letter finds you well,
>>>>
>>>> I have Postfix behind NAT, and added one failover IP to the main router.
>>>>
>>>> I wanted to "get by cheaply" by just doing something like
>>>>
>>>> iptables -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to
>>>>
>>>> on the firewall machine.
>>>>
>>>> So, all well, the only problem is that Postfix in this case has a wrong
>>>> HELO compared to the rDNS that I have defined for the
>>>> It does throw a warning that the doesn't resolve to its hostname,
>>>> but I'm not sure if I can define some kind of helo_host_maps ;) to
>>>> resolve this.
>>>> At this point, I wouldn't mind if someone pinpoints me to the right
>>>> direction.
>>>
>>> Postfix does not compare the HELO command argument with forward or
>>> reverse DNS information.
>>
>> Antispam engines on the recipient side do
>
> Thanks for clearing up that 'It does throw a warning' is not
> talking about Postfix.
>
> Every MTA behind a NAT should send HELO to external hosts using
> the name of the outside NAT IP address. Use smtp_helo_name.

This is clear. But my problem is that I do the (pre)nating on the firewall, I don't change any config for Postfix. To simplify the question, it's - is it possible to have it use the correct HELO depending on the outbound IP set on the firewall? I do not change any relay maps, I just default it to another outbound IP on the firewall.

best,
Istvan
Re: Postfix behind NAT -> failover IP -> wrong HELO
Istvan Prosinger:
>
> On 6/30/20 9:49 PM, Wietse Venema wrote:
> > Istvan Prosinger:
> >> Hi, I hope this letter finds you well,
> >>
> >> I have Postfix behind NAT, and added one failover IP to the main router.
> >>
> >> I wanted to "get by cheaply" by just doing something like
> >>
> >> iptables -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to
> >>
> >> on the firewall machine.
> >>
> >> So, all well, the only problem is that Postfix in this case has a wrong
> >> HELO compared to the rDNS that I have defined
> >> for the
> >> It does throw a warning that the doesn't resolve to its
> >> hostname, but I'm not sure if I can define some
> >> kind of helo_host_maps ;) to resolve this.
> >> At this point, I wouldn't mind if someone pinpoints me to the right
> >> direction.
> >
> > Postfix does not compare the HELO command argument with forward or
> > reverse DNS information.
>
> Antispam engines on the recipient side do

Thanks for clearing up that 'It does throw a warning' is not
talking about Postfix.

Every MTA behind a NAT should send HELO to external hosts using
the name of the outside NAT IP address. Use smtp_helo_name.

Wietse
Re: Messages in active queue seems to stay long before getting delivered
Thank you Wietse for taking your time to reply to my email.

I have ntp running on the mail server so it can't be clock drift. Connecting PCs and servers to the mail server also using ntp (linux) and internet time (windows).

I follow your suggestion, cleanup -v in master.cf. I see there are now lines that have postfix/cleanup but a quick glance did not see any errors.

I am getting ready for home so I need to continue looking at this on Thursday, tomorrow is a holiday here (Canada Day)

Thanks again,
Roberto

On 2020-06-30 2:59 p.m., Wietse Venema wrote:
> Roberto Fulgado:
>> Hi All,
>>
>> Our mail server seems to hold messages in the active queue longer than
>> it should. Even the ones that are inter-office messages (local mail).
>> I can flush the queue no problem. But if I wait for the mail server
>> to clear the queue on its own, it'll take around 5 mins. I have another
>
> Five minutes suggests that the queue manager is not informed that
> new mail has entered the queue, or that there is a clock drift
> problem.
>
> - To be informed of new mail, Postfix daemons need to write to the
>   qmgr socket. If there are write errors you can see that with
>   "cleanup -v" in master.cf (changing this requires "postfix reload").
>
> - Postfix skips queue files with a file modification time stamp in
>   the future. That is intended behavior with deferred mail. But it
>   delays new mail if the queue file system is on a different host,
>   and the host clocks are out of sync.
>
> Wietse

--
Roberto Fulgado
DM Service Ltd.
Tel: (905)731-0142 ext. 64
Email: rober...@dmtserv.com
-
On the Internet, no one knows you're using Windows NT
-- Submitted by Ramiro Estrugo, restr...@fateware.com

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Postfix behind NAT -> failover IP -> wrong HELO
On 6/30/20 9:49 PM, Wietse Venema wrote:
> Istvan Prosinger:
>> Hi, I hope this letter finds you well,
>>
>> I have Postfix behind NAT, and added one failover IP to the main router.
>>
>> I wanted to "get by cheaply" by just doing something like
>>
>> iptables -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to
>>
>> on the firewall machine.
>>
>> So, all well, the only problem is that Postfix in this case has a wrong
>> HELO compared to the rDNS that I have defined for the
>> It does throw a warning that the doesn't resolve to its hostname,
>> but I'm not sure if I can define some kind of helo_host_maps ;) to
>> resolve this.
>> At this point, I wouldn't mind if someone pinpoints me to the right
>> direction.
>
> Postfix does not compare the HELO command argument with forward or
> reverse DNS information.
>
> Wietse

Antispam engines on the recipient side do

best,
Istvan
Re: Postfix behind NAT -> failover IP -> wrong HELO
Istvan Prosinger:
> Hi, I hope this letter finds you well,
>
> I have Postfix behind NAT, and added one failover IP to the main router.
>
> I wanted to "get by cheaply" by just doing something like
>
> iptables -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to
>
> on the firewall machine.
>
> So, all well, the only problem is that Postfix in this case has a wrong HELO
> compared to the rDNS that I have defined
> for the
> It does throw a warning that the doesn't resolve to its
> hostname, but I'm not sure if I can define some
> kind of helo_host_maps ;) to resolve this.
> At this point, I wouldn't mind if someone pinpoints me to the right direction.

Postfix does not compare the HELO command argument with forward or
reverse DNS information.

Wietse
Re: Milter protocol deleting and adding the same recipient
Mehmet Avcioglu:
> Hello,
>
> It looks like there is a difference in postfix implementation of milter
> protocol regarding adding and deleting recipients compared to sendmail.
>
> The following results in one final recipient on sendmail but no recipients
> on postfix while still logging nrcpt=2
>
> del_rcpt ""
> add_rcpt "al...@domain.com"
> del_rcpt ""
> add_rcpt "al...@domain.com"
>
> Jun 28 16:15:00 server postfix/smtpd[264815]: connect from server.local[127.0.0.1]
> Jun 28 16:15:14 server postfix/smtpd[264815]: 49vrhL14pvzBGTn: client=server.local[127.0.0.1]
> Jun 28 16:15:21 server postfix/cleanup[264963]: 49vrhL14pvzBGTn: message-id=<49vrhL14pvzBGTn@server.local>
> Jun 28 16:15:21 server postfix/qmgr[264819]: 49vrhL14pvzBGTn: from=<sen...@domain.com>, size=378, nrcpt=2 (queue active)
> Jun 28 16:15:21 server postfix/qmgr[264819]: 49vrhL14pvzBGTn: removed
> Jun 28 16:15:22 server postfix/smtpd[264815]: disconnect from server.local[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
>
> From what I understand the duplicate filter suppresses the address. Is this
> desired behavior?

Well we can't simply turn off duplicate filter when a recipient is
added (back) by a milter.

Incorrect solution:

Suppose you have an alias expansion:

    f...@example.com -> b...@example.com, f...@example.com, b...@example.com

You delete f...@example.com from the queue file, and then disable
the duplicate filter while adding it back with a milter.

Then, adding f...@example.com back would result in another alias
expansion:

    f...@example.com -> b...@example.com, f...@example.com, b...@example.com

and because the duplicate filter is turned off, all addresses would
be added again to the queue file.

That is annoying when the alias is small, but could be bad if the
alias is large. Postfix should work for 'small' and 'large' alias
expansions.

Also incorrect solution:

An alternative, disabling alias expansion AND duplicate filtering
while adding a recipient by milter, would break Postfix compatibility
for cases where people rely on virtual alias expansion of recipients
added by a milter.

Correct solution:

The correct fix would be that the 'delete recipient' method reads the
to-be-deleted recipient from the queue file, and then requests that
the address be removed from the duplicate filter.

Then, adding back f...@example.com will produce the expected result:
a new f...@example.com recipient and no duplicate b...@example.com
or b...@example.com address.

Wietse
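A toy model of the behaviours discussed in the message above: the reported one, the rejected idea of switching the duplicate filter off while adding, and the fix in which deleting a recipient also removes it from the duplicate filter. This is an added example, not Postfix source and not code from the thread; the `Queue` class, the `replay` helper and the foo/bar/baz/alice addresses are constructed, and the elided `del_rcpt` argument is assumed to be the same address that is added back.

```python
"""Toy model: recipient list, duplicate filter and alias expansion.

Added example, simplified for illustration. Addresses are constructed.
"""

# Constructed alias that expands to itself plus two other addresses.
ALIASES = {
    "foo@example.com": ["bar@example.com", "foo@example.com", "baz@example.com"],
}


class Queue:
    def __init__(self, aliases=None):
        self.aliases = aliases or {}
        self.rcpts = []     # recipient records in the queue file
        self.seen = set()   # duplicate filter

    def add_rcpt(self, addr, dup_filter=True):
        # Every added recipient goes through alias expansion.
        for out in self.aliases.get(addr, [addr]):
            if dup_filter and out in self.seen:
                continue    # suppressed as a duplicate
            self.rcpts.append(out)
            self.seen.add(out)

    def del_rcpt(self, addr, forget=False):
        self.rcpts = [r for r in self.rcpts if r != addr]
        if forget:
            # "Correct solution": also drop the address from the filter.
            self.seen.discard(addr)


def replay(strategy, first, ops, aliases=None):
    """Replay milter operations and return the final recipient list.

    strategy: "reported"  - delete leaves the duplicate filter untouched
              "no_filter" - duplicate filter disabled for milter adds
              "forget"    - delete also removes the address from the filter
    """
    q = Queue(aliases)
    q.add_rcpt(first)       # recipient received in the SMTP session
    for op, addr in ops:
        if op == "del":
            q.del_rcpt(addr, forget=(strategy == "forget"))
        else:
            q.add_rcpt(addr, dup_filter=(strategy != "no_filter"))
    return q.rcpts


# Constructed replay of the del/add/del/add sequence from the report.
ALICE = "alice@example.com"
REPORT_OPS = [("del", ALICE), ("add", ALICE), ("del", ALICE), ("add", ALICE)]
ALIAS_OPS = [("del", "foo@example.com"), ("add", "foo@example.com")]

if __name__ == "__main__":
    for strategy in ("reported", "no_filter", "forget"):
        print(strategy, replay(strategy, ALICE, REPORT_OPS),
              replay(strategy, "foo@example.com", ALIAS_OPS, ALIASES))
```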
Postfix behind NAT -> failover IP -> wrong HELO
Hi, I hope this letter finds you well,

I have Postfix behind NAT, and added one failover IP to the main router.

I wanted to "get by cheaply" by just doing something like

iptables -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to

on the firewall machine.

So, all well, the only problem is that Postfix in this case has a wrong HELO compared to the rDNS that I have defined for the
It does throw a warning that the doesn't resolve to its hostname, but I'm not sure if I can define some kind of helo_host_maps ;) to resolve this.
At this point, I wouldn't mind if someone pinpoints me to the right direction.

Thanks, and all the best,
Istvan
Re: Messages in active queue seems to stay long before getting delivered
Roberto Fulgado:
> Hi All,
>
> Our mail server seems to hold messages in the active queue longer than
> it should. Even the ones that are
> inter-office messages (local mail). I can flush the queue no problem.
> But if I wait for the mail server
> to clear the queue on its own, it'll take around 5 mins. I have another

Five minutes suggests that the queue manager is not informed that
new mail has entered the queue, or that there is a clock drift
problem.

- To be informed of new mail, Postfix daemons need to write to the
  qmgr socket. If there are write errors you can see that with
  "cleanup -v" in master.cf (changing this requires "postfix reload").

- Postfix skips queue files with a file modification time stamp in
  the future. That is intended behavior with deferred mail. But it
  delays new mail if the queue file system is on a different host,
  and the host clocks are out of sync.

Wietse
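One way to test the second hypothesis in the message above is to look for new-mail queue files whose modification time is ahead of the local clock. This is an added example, not Postfix code and not from the thread; the function names, the 1-second slack and the default of scanning only the "incoming" queue are assumptions, and the queue root is whatever `postconf -h queue_directory` prints on the host being checked.

```python
"""List queue files whose modification time is ahead of this host's clock.

Added example. The slack value and the default queue list are assumptions.
"""
import os
import sys
import time


def future_queue_files(queue_root, queues=("incoming",), now=None, slack=1.0):
    """Return [(path, seconds_ahead)], furthest ahead first.

    The deferred queue is left out by default because a future time stamp
    is intended there; in "incoming" it means new mail waits until the
    local clock catches up with the host that wrote the file.
    """
    now = time.time() if now is None else now
    hits = []
    for queue in queues:
        top = os.path.join(queue_root, queue)
        # os.walk also descends into hashed queue subdirectories.
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    ahead = os.stat(path).st_mtime - now
                except OSError:
                    continue    # file was delivered or moved during the scan
                if ahead > slack:
                    hits.append((path, ahead))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


def estimated_skew(hits):
    """Largest lead in seconds: a lower bound on the writer's clock offset."""
    return max((ahead for _path, ahead in hits), default=0.0)


if __name__ == "__main__":
    # Usage: python3 this_file.py "$(postconf -h queue_directory)"
    found = future_queue_files(sys.argv[1])
    for path, ahead in found:
        print(f"{ahead:8.1f}s ahead  {path}")
    print(f"clock offset of at least {estimated_skew(found):.1f}s"
          if found else "no future time stamps in incoming")
```

Reading the queue directories normally requires root or the Postfix owner account.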
Messages in active queue seems to stay long before getting delivered
Hi All,

Our mail server seems to hold messages in the active queue longer than it should. Even the ones that are inter-office messages (local mail). I can flush the queue no problem. But if I wait for the mail server to clear the queue on its own, it'll take around 5 mins. I have another mail server in the works to replace this current one and it doesn't seem to exhibit the delay. I checked my resolver, hosts file. I even use each other server's main.cf file but the current mail server still has that 5 min delay in delivering messages. It's no big deal since I will be switching to the new mail server in a week or so. It's just for my own sanity.

Thanks,

--
Roberto Fulgado
DM Service Ltd.
Tel: (905)731-0142 ext. 64
Email: rober...@dmtserv.com
-
Virtue is not left to stand alone. He who practices it will have neighbors.
-- Confucius
Milter protocol deleting and adding the same recipient
Hello,

It looks like there is a difference in postfix implementation of milter protocol regarding adding and deleting recipients compared to sendmail.

The following results in one final recipient on sendmail but no recipients on postfix while still logging nrcpt=2

del_rcpt ""
add_rcpt "al...@domain.com"
del_rcpt ""
add_rcpt "al...@domain.com"

Jun 28 16:15:00 server postfix/smtpd[264815]: connect from server.local[127.0.0.1]
Jun 28 16:15:14 server postfix/smtpd[264815]: 49vrhL14pvzBGTn: client=server.local[127.0.0.1]
Jun 28 16:15:21 server postfix/cleanup[264963]: 49vrhL14pvzBGTn: message-id=<49vrhL14pvzBGTn@server.local>
Jun 28 16:15:21 server postfix/qmgr[264819]: 49vrhL14pvzBGTn: from=<sen...@domain.com>, size=378, nrcpt=2 (queue active)
Jun 28 16:15:21 server postfix/qmgr[264819]: 49vrhL14pvzBGTn: removed
Jun 28 16:15:22 server postfix/smtpd[264815]: disconnect from server.local[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

From what I understand the duplicate filter suppresses the address. Is this desired behavior?

Thanks
--
Mehmet